What about security testing? External penetration testing is one thing, but can developer testing help in any way?

Committing to developer testing doesn’t mean abandoning all other aspects of software development like good object-oriented design, use of design patterns, domain-driven design, or the OWASP top threat list. That said, some developer testing concepts may be quite helpful.

Contracts, especially preconditions, will obviously help when it comes to input validation. Minding the domain-to-range ratio will ensure better input values and potentially protect from vulnerabilities like buffer overflow. Equivalence partitioning may be used to identify classes of invalid inputs like SQL injections, while formalized boundary value analysis can help in identifying edge cases between valid and invalid input.

Generative testing is also relevant in the context of security testing. One can use it to either generate random values to ensure that the application handles any input correctly, or to generate inputs that are malicious on purpose.